Bug 1741306
| Summary: | sssd-kcm: type confusion on KDC offset | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Robbie Harwood <rharwood> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | --- | CC: | apeetham, grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, sbose, sgoveas, sssd-maint, tscherf |
| Target Milestone: | rc | Flags: | jhrozek: mirror+ |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | sssd-2.2.3-2.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-28 16:56:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Robbie Harwood
2019-08-14 17:57:28 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/4063

Master:
- c580c76a2affc377850303cc81a1519075d174f2

This bug was fixed as part of the rebase we did in RHEL 8.2.0. It would be good to fully ack it and include in the erratum.

Please add steps to test

(In reply to Steeve Goveas from comment #4)
> Please add steps to test

Hi,

please see the description of https://bugzilla.redhat.com/show_bug.cgi?id=1757299#c0.

- make sure sssd-kcm is installed so that KCM is used as default ccache type
- log in with password to e.g. an IPA client to get a Kerberos ticket and make sure with klist it is stored with KCM
- try to ssh to the same host, it should work with the Kerberos ticket without asking for a password

HTH

bye,
Sumit

# versions:
sssd-client-2.2.3-18.el8.x86_64
sssd-ipa-2.2.3-18.el8.x86_64
sssd-kcm-2.2.3-18.el8.x86_64
sssd-dbus-2.2.3-18.el8.x86_64
sssd-2.2.3-18.el8.x86_64
sssd-nfs-idmap-2.2.3-16.el8.x86_64
python3-sssdconfig-2.2.3-18.el8.noarch
sssd-common-pac-2.2.3-18.el8.x86_64
sssd-ldap-2.2.3-18.el8.x86_64
sssd-tools-2.2.3-18.el8.x86_64
sssd-common-2.2.3-18.el8.x86_64
sssd-ad-2.2.3-18.el8.x86_64
sssd-krb5-common-2.2.3-18.el8.x86_64
sssd-proxy-2.2.3-18.el8.x86_64
sssd-winbind-idmap-2.2.3-18.el8.x86_64
sssd-krb5-2.2.3-18.el8.x86_64
Verification from AD
=====================
1. Join the system to Windows
[root@client1 ~]# realm join -U Administrator -v SARABHAI.TEST
* Resolving: _ldap._tcp.sarabhai.test
* Performing LDAP DSE lookup on: 192.168.122.216
* Successfully discovered: SARABHAI.TEST
Password for Administrator:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
* LANG=C /usr/sbin/adcli join --verbose --domain SARABHAI.TEST --domain-realm SARABHAI.TEST --domain-controller 192.168.122.216 --login-type user --login-user Administrator --stdin-password
* Using domain name: SARABHAI.TEST
* Calculated computer account name from fqdn: CLIENT1
* Using domain realm: SARABHAI.TEST
* Sending netlogon pings to domain controller: cldap://192.168.122.216
* Received NetLogon info from: vikram.SARABHAI.TEST
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-hpZ9rS/krb5.d/adcli-krb5-conf-MtVCMd
* Authenticated as user: Administrator
* Using GSS-SPNEGO for SASL bind
* Looked up short domain name: SARABHAI
* Looked up domain SID: S-1-5-21-1672089527-2408710569-2399489135
* Using fully qualified name: client1.testrealm.test
* Using domain name: SARABHAI.TEST
* Using computer account name: CLIENT1
* Using domain realm: SARABHAI.TEST
* Calculated computer account name from fqdn: CLIENT1
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for CLIENT1$ at: CN=CLIENT1,CN=Computers,DC=SARABHAI,DC=TEST
* Sending netlogon pings to domain controller: cldap://192.168.122.216
* Received NetLogon info from: vikram.SARABHAI.TEST
* Set computer password
* Retrieved kvno '6' for computer account in directory: CN=CLIENT1,CN=Computers,DC=SARABHAI,DC=TEST
* Checking RestrictedKrbHost/client1.testrealm.test
* Added RestrictedKrbHost/client1.testrealm.test
* Checking RestrictedKrbHost/CLIENT1
* Added RestrictedKrbHost/CLIENT1
* Checking host/client1.testrealm.test
* Added host/client1.testrealm.test
* Checking host/CLIENT1
* Added host/CLIENT1
* Discovered which keytab salt to use
* Added the entries to the keytab: CLIENT1$@SARABHAI.TEST: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/CLIENT1: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/client1.testrealm.test: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/CLIENT1: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/client1.testrealm.test: FILE:/etc/krb5.keytab
* /usr/bin/systemctl enable sssd.service
Created symlink /etc/systemd/system/multi-user.target.wants/sssd.service → /usr/lib/systemd/system/sssd.service.
* /usr/bin/systemctl restart sssd.service
* /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
is present and oddjobd service is enabled
- systemctl enable oddjobd.service
- systemctl start oddjobd.service
* Successfully enrolled machine in realm
[root@client1 ~]# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 CLIENT1$@SARABHAI.TEST
6 CLIENT1$@SARABHAI.TEST
6 host/CLIENT1
6 host/CLIENT1
6 host/client1.testrealm.test
6 host/client1.testrealm.test
6 RestrictedKrbHost/CLIENT1
6 RestrictedKrbHost/CLIENT1
6 RestrictedKrbHost/client1.testrealm.test
6 RestrictedKrbHost/client1.testrealm.test
[root@client1 ~]# kinit niranjan
Password for niranjan:
[root@client1 ~]# klist
Ticket cache: KCM:0
Default principal: niranjan
Valid starting       Expires              Service principal
03/04/2020 13:09:28  03/04/2020 23:09:28  krbtgt/SARABHAI.TEST
	renew until 03/05/2020 13:09:26
[root@client1 ~]# ssh niranjan.test
FIPS mode initialized
Last login: Wed Mar 4 12:56:32 2020 from 192.168.122.238
[niranjan@client1 ~]$
Verification from IPA
======================
[root@server1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@server1 ~]#
[root@server1 ~]# kinit lheslin
Password for lheslin:
[root@server1 ~]# klist
Ticket cache: KCM:0
Default principal: lheslin
Valid starting       Expires              Service principal
03/04/2020 13:10:52  03/05/2020 13:10:50  krbtgt/TESTREALM.TEST
[root@server1 ~]# ssh lheslin.test
Last login: Wed Mar 4 12:14:13 2020 from 192.168.122.5
Could not chdir to home directory /home/lheslin: No such file or directory
[lheslin@server1 /]$
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1863
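The test procedure Sumit gives in the comments above (sssd-kcm installed so KCM is the default ccache, a ticket that klist shows under KCM:, and ssh to the same host working from that ticket with no password prompt) turned into a small checker. This is an added example, not code from the bug report or from SSSD; the klist and krb5.conf samples inside self_test are constructed from the output shown on this page, the realm and host names are placeholders passed on the command line, and the live part assumes klist and ssh on PATH and the sssd-kcm snippet under /etc/krb5.conf.d/.

```shell
#!/bin/sh
# Added example, not part of the bug report or of SSSD: checks the three
# conditions of the test procedure from the comments (KCM is the default
# ccache, the TGT lives in a KCM: cache, GSSAPI ssh works from it).
# Realm and host are placeholders passed on the command line.

# Print the ccache type ("KCM", "FILE", "KEYRING", ...) from klist output on
# stdin; exit 1 when no "Ticket cache:" line is present.
ccache_type_from_klist() {
  awk -F'[: ]+' '
    /^Ticket cache:/ { print $3; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# Exit 0 when the klist output on stdin carries a TGT for realm $1.
has_tgt_for_realm() {
  grep -Fq "krbtgt/$1"
}

# Exit 0 when krb5.conf-style text on stdin makes KCM the default ccache.
# On RHEL 8 the sssd-kcm package ships this setting in
# /etc/krb5.conf.d/kcm_default_ccache.
kcm_is_default_ccache() {
  grep -Eq '^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*KCM:'
}

# Offline self-test on constructed samples modelled on the klist output in the
# verification comment. Returns 0 when every helper behaves as expected.
self_test() {
  kcm_klist='Ticket cache: KCM:0
Default principal: niranjan
Valid starting       Expires              Service principal
03/04/2020 13:09:28  03/04/2020 23:09:28  krbtgt/SARABHAI.TEST@SARABHAI.TEST'
  file_klist='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: niranjan'
  kcm_conf='[libdefaults]
  default_ccache_name = KCM:'
  file_conf='[libdefaults]
  default_ccache_name = FILE:/tmp/krb5cc_0'

  [ "$(printf '%s\n' "$kcm_klist" | ccache_type_from_klist)" = KCM ] || return 1
  [ "$(printf '%s\n' "$file_klist" | ccache_type_from_klist)" = FILE ] || return 1
  printf 'Default principal: x\n' | ccache_type_from_klist >/dev/null && return 1
  printf '%s\n' "$kcm_klist" | has_tgt_for_realm SARABHAI.TEST || return 1
  printf '%s\n' "$kcm_klist" | has_tgt_for_realm TESTREALM.TEST && return 1
  printf '%s\n' "$kcm_conf" | kcm_is_default_ccache || return 1
  printf '%s\n' "$file_conf" | kcm_is_default_ccache && return 1
  return 0
}

# Live check on this host: needs klist and ssh; stops at the first unmet step.
live_check() {
  realm=$1; host=$2
  cat /etc/krb5.conf /etc/krb5.conf.d/* 2>/dev/null | kcm_is_default_ccache \
    || { echo "FAIL: default_ccache_name is not KCM:" >&2; return 1; }
  out=$(klist 2>/dev/null) \
    || { echo "FAIL: no credential cache, run kinit first" >&2; return 1; }
  type=$(printf '%s\n' "$out" | ccache_type_from_klist) || type=none
  [ "$type" = KCM ] \
    || { echo "FAIL: ticket cache type is $type, not KCM" >&2; return 1; }
  printf '%s\n' "$out" | has_tgt_for_realm "$realm" \
    || { echo "FAIL: no krbtgt/$realm in the cache" >&2; return 1; }
  # BatchMode forbids any password or keyboard-interactive prompt and pubkey is
  # switched off, so only GSSAPI (the KCM ticket) can make this succeed; a
  # password prompt or a failure here is exactly what the test procedure is
  # meant to catch.
  ssh -o BatchMode=yes -o GSSAPIAuthentication=yes \
      -o PasswordAuthentication=no -o PubkeyAuthentication=no "$host" true \
    || { echo "FAIL: GSSAPI ssh to $host did not use the KCM ticket" >&2; return 1; }
  echo "OK: KCM holds a $realm TGT and ssh to $host authenticates with it"
}

# Usage: ./kcm_check.sh REALM HOST  (runs self_test first, then the live check)
if [ "$#" -eq 2 ]; then
  self_test || { echo "self_test failed" >&2; exit 1; }
  live_check "$1" "$2"
fi
```

Run it as the user who did the kinit (KCM caches are per user, served by the sssd-kcm socket), with the realm spelled as in the krbtgt principal, e.g. ./kcm_check.sh SARABHAI.TEST client1.testrealm.test; the parsing helpers can also be sourced and fed saved klist output when investigating a host remotely.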